Ulrich Windl wrote:
I created one test user with a ppolicy, and the expectation is that on first login the password should be changed (minus grace logins).
People fail to understand that it's the LDAP client's responsibility to enforce this based on the ppolicy response control returned to the client.
=> Therefore I consider this "enforce password change on initial login" to be bad practice anyway. I strongly recommend to rethink your password reset process.
Ciao, Michael.